Russian troops invaded Georgia's South Ossetia
on Friday, but Russian attacks on Georgia’s major Web sites and overall
Internet access began a day earlier. That’s according to Jart Armin,
editor of
RBNexploit—the
community blog that has been leading the reporting and analysis efforts
on digital security in Eastern Europe this week, even as Russian
officials ordered a stand-down today.
Official Georgian domains are currently so unreliable that the country is now using a Google-run
Blogspot Web site to host information from the Georgia Ministry of Foreign Affairs.
RBNexploit describes itself as a small group of concerned Internet
security experts who track the cybercriminal activity, specifically of
the Russian Business Network (RBN), a group that's been widely
associated with criminal activity—most frequently with identity theft,
organized crime and denial-of-service attacks. RBNexploit has published
a map
of Russian attacks on Georgian servers. We spoke on Monday with
RBNexploit's editor, digital-security blogger Jart Armin, to try to
make sense of the nonphysical elements of Russia's attack on Georgia.
Today, Armin followed up with us and reported that Web access in
Georgia has improved significantly, partly because the Russian attacks
have scaled back and partly because of support provided to Georgia by
other European backbone servers.
—S.E. Kramer
What is going on in Georgia right now?
The first development of the cyberwar (which is really one-sided)
between Russia and Georgia was on the 20th of July when we started to
notice some hack attempts on the Web site of the president [Mikheil
Saakashvili] of Georgia. They were coming from known cybercriminal
servers inside Russia. That hack seemed to be a test because the sites
went back online after a few hours and the attacks stopped.
Then, as of last Thursday, came a full-blown attack which can only be
described as a cybersiege on the whole of Georgia's Internet space.
It's basically being controlled now by a group of five all-Russian
servers and one Turkish server, which is under some sort of direction
from Russian cyberspace.
You're in a position now where it's
very patchy trying to get any Internet communication in and out of
Georgia since Thursday. Particularly the president's Web site will come
on and then go back off again. Basically the reason [it comes back on]
is that there are two sides to this war: people who want to open up and
break the siege, and whoever in Russia is controlling this. We believe
it's cybercriminal elements hired by the Russian government who are
trying to close these routes down as they are opened up.
Does the RBN have a reason to attack Georgia, or do you believe that the Russian government has hired it?
Basically the RBN started as a very crude hacking group, hiring out
expensive Web hosting to hide different users, particularly for the use
of malware, cybercriminal usage, even child pornography. In the middle
of last year, May 2007, we saw the first signs of them being hired [for
international attacks] or being used by Russian government groups to
actually start to take down Estonian government Web sites, which is
pretty well reported. Although those [sites] came back online, what you
have seen more recently is the attack on Lithuania's Internet
infrastructure, by the same groups and same methods as the RBN used. It
just happened to be at the same time as the president [Valdas Adamkus]
of Lithuania's visit to Washington, D.C.
It seems to be a
pattern: When Russia's neighbors start talking to NATO and get involved
with the European community, or work to get better relations with the
U.S., they start to come under attack. The attacks are ways of stifling
the government's information activities. From Thursday, the day before
the Russian troops invaded, you had the full-blown cybersiege in place.
Basically no Georgian Web sites were available and a great amount of
traffic was stopped. If you actually use the trace routes and see these
servers in action, they were simply blockading all routes in and out of
Georgia.
How does one fight a war like this? Can you do it from within Georgia?
Or once those servers are shut down, is it something that has to be
done from outside?
Two things.
The smaller neighbors of Russia should watch out who controls their
next stage of Internet servers, the actual pipelines. Unfortunately for
Georgia, they had an agreement where the main switch for most of
Georgia's Internet is through Moscow. Very logically, it's submarine
fiber routes; you can read about [it] on the CIA Web site, which
actually shows the limitations of Georgia, the near-reliance on
physical routing through Russia. Georgia gets taken offline fairly
easily because Russia is simply blocking all traffic coming in and out.
Estonia learned last year; Lithuania is learning now, as even Ukraine
is starting to learn, and a few others—they have to start looking for
alternative routing for the Internet for their countries or else
they're going to end up in the same situation as Georgia.
The
lesson here seems to be "don't route your internet through Russia."
Does that mean that it would be harder for companies like the RBN to
attack countries that are not near Russia? Does the U.S. have reason to
worry?
You're hearing this first—we were given
information on tracking of a particular botnet that's being used. This
is pretty worrying because it has ended up in a fast-act corporation.
This looks like it's actually on U.S. soil now. So part of these
attacks can come from many different routes. That's the advantage but
also the problem of the Internet. We also saw that one of the main
servers of government Web sites in Georgia actually had a U.S. server
address. We have not been able to contact that server, which is based
in Atlanta, for four days, and the whole server has been offline.
So one can say that this is very worrying for the U.S. and other
countries. The problem is that people can simply go on servers and use
a credit card to buy whole swaths of Internet space and IP addresses
and so on. These can be used as weapons against us as well. It's
particularly worrying when you consider how easy it is to acquire some
of this routing through U.S. servers or European servers or elsewhere.
The RBN has always been very adept at using these routes because you
simply buy them, use a false credit card, use a false name, and
register domains under false names, and you're in business.
When do you think Georgia will get its Internet back?
This is a two-way fight. It's interesting to me that one of the major
Russian news servers, RIA Novosti, was taken offline on Sunday
night/Monday morning. They're back online, but now you have a lot of
Russian discussions about how it was that they got attacked. Of course,
that's part of what's happening here. You get this level of activity
between various factions.
You will start to get this attack and counterattack—people in Georgia and in the world who are looking to return the favor.
Besides counterattacking, is there any way to defend yourself?
One way is not to rely too much on purely directed, solely physical
pipelines, as has unfortunately proved a problem for Georgia. It also
proves a problem for most of Eastern Europe. Hopefully one of the
lessons learned is that these countries start to look at wider Internet
services. Governments will start to look at making sure that certain
countries don't have a monopoly of control over these pipelines.
Another way is to ensure that you have multiple name servers, which
would also have helped Georgia. Let's say their sites were mirrored on
U.S. servers, maybe Western Europe, maybe even Asia. This parallel,
this mirroring of Web sites helps because even if one server is
attacked, at least the other servers could come into action.